IE Zero Day Watering Hole Attack Injects Malicious Payload into Memory

A new watering hole attack is serving malware targeting an Internet Explorer vulnerability that injects its malicious payload directly into memory.

Microsoft may be promising a relatively light Patch Tuesday release tomorrow, but that doesn’t mean its researchers and developers won’t have their hands full. Not only is Microsoft busy on a patch for the TIFF zero day vulnerability reported two weeks ago, but now another previously unreported Internet Explorer bug has landed on its queue.

Last Friday, researchers at FireEye reported a new watering hole attack against an unnamed U.S.-based non-governmental organization (NGO) website hosting domestic and international policy guidance. FireEye director of threat intelligence Darien Kindlund said it is still unclear how the attackers compromised the website. The exploit code is targeting a new bug in IE and infecting victims via drive-by downloads. That exploit targets an information leakage vulnerability as well as a memory issue in IE that allows remote code execution. Various versions of IE on Windows XP and Windows 7 are impacted by these attacks, which can be mitigated by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), FireEye said.

The payload—a variant of the McRAT Trojan—is injected directly into memory making detection and forensic investigation a challenge. FireEye has also made a connection between these attacks, which it is calling Operation Ephemeral Hydra, and the earlier DeputyDog attack. DeputyDog, so named after a string found in the attack code, surfaced in September and was limited at the time to a number of popular Japanese media websites. The malware was used to gather intelligence, stealing documents and system data from computers belonging to government, high tech and manufacturing companies in Japan. Kindlund said it is unclear what types of information are being stolen in this current campaign.

“Based on our visibility into this threat actor’s targeting preferences, it appears the threat actor is interested in industry-specific intelligence,” Kindlund said.

So far, FireEye said, the new IE zero day is limited to this one unnamed website, which unlike other watering hole attacks, is not spiked with a malicious iframe or redirecting compromised machines to an attacker-controlled site where more malware is downloaded. Instead, the shellcode is directly injected into memory, which is a new twist on these types of targeted attacks.

“By using memory-only methods, the attack is exceptionally difficult for network defenders to detect, when trying to examine and confirm which endpoints are infected, using traditional disk-based forensics methods,” Kindlund said.

The malicious payload goes through a number of steps before it is executed, including three levels of XOR decoding before the McRAT variant, identified as Trojan.APT.9002, takes over the infected machine. Those various types of encoding and decoding introduce complexity that could stymie traditional detection technologies, Kindlund said, adding that the malware is also fairly lightweight meaning the victim would not notice anything happening on their machine.

By injecting the malware into memory, however does present some limitations to the attackers. The lack of persistence, for example, means the attackers must exfiltrate data quickly before the machine is rebooted by the user, which would wipe the Trojan from memory.

“This means that the attacker must quickly get onto the infected endpoint and exfiltrate data or move laterally within the compromised network before the endpoint is rebooted/reset,” Kindlund said. “If the endpoint reboots or resets, then the malware is completely wiped from the endpoint and the attacker will have to re-infect the system again.”

“Alternatively, the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be re-infected,” FireEye said.

By choosing this means of infection, also limits the amount of automation involved, Kindlund said.

“This sort of activity requires more man-power; because of this, it appears the attacker turned the exploit ‘on’ and ‘off’ at will throughout this campaign, in order to limit the number of infected systems, because they did not have proper resources to scale and automate this portion of the attack (it was all human driven),” Kindlund said. “As a result of turning the exploit ‘on’ and ‘off’, it also made network defender’s jobs more difficult to verify the attack was still occurring throughout the campaign.”

This version of Trojan.APT.9002 connects to a command and control server housed at 111[.]68[.]9[.]93 using port 443, FireEye said, though it uses a different protocol for communication than previous versions. The researchers were also able to piece together, from an analysis of the MD5 hash, that it shared behaviors of other McRAT variants, including a domain dll[.]freshdns[.]org used in the DeputyDog campaign.

“We believe there is a link between this campaign and DeputyDog; however, we do not have enough evidence to confirm that the threat actor is one in the same,” Kindlund said. “Possible theories at this time are that: 1) there are multiple, related threat actors are reusing the same infrastructure or 2) it is the same threat actor responsible for both campaigns.”

Suggested articles